
Trojan Agent reg key removal, please advise



Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:05:21 PM, on 1/25/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\VM303_STI.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe

C:\program files\steam\steam.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\Program Files\Vidalia Bundle\Tor\tor.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Global Startup: LCDPlayer.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: nlycoo.dll

O20 - Winlogon Notify: mlJBTlMD - mlJBTlMD.dll (file missing)

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)

O23 - Service: Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio Fast Track\GBInst.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: WMP54GXSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe

--

End of file - 6783 bytes

Malwarebytes' Anti-Malware 1.33

Database version: 1684

Windows 5.1.2600 Service Pack 2

1/25/2009 6:13:22 PM

mbam-log-2009-01-25 (18-13-20).txt

Scan type: Quick Scan

Objects scanned: 50206

Time elapsed: 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


I have also run this scan.

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-25 17:53:51

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

INT 0x62 ? 8A8D3BF8

INT 0x63 ? 8A688BF8

INT 0x73 ? 8A688BF8

INT 0x73 ? 8A688BF8

INT 0x82 ? 8A8D3BF8

INT 0x83 ? 8A8D3BF8

INT 0x84 ? 8A688BF8

INT 0xA4 ? 8A688BF8

Code 89DADA90 ZwEnumerateKey

Code 89DADB48 ZwFlushInstructionCache

Code B4DE8323 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B528A 5 Bytes JMP 89DADB4C

PAGE ntkrnlpa.exe!ZwEnumerateKey 80622950 5 Bytes JMP 89DADA94

? bpeercj.sys The system cannot find the file specified. !

? spiy.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload B79A162C 5 Bytes JMP 8A6881D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[740] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spiy.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spiy.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spiy.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spiy.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spiy.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spiy.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A8D21F8

Device \FileSystem\Fastfat \FatCdrom 88186320

Device \Driver\usbohci \Device\USBPDO-0 8A6861F8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8631F8

Device \Driver\dmio \Device\DmControl\DmConfig 8A8631F8

Device \Driver\dmio \Device\DmControl\DmPnP 8A8631F8

Device \Driver\dmio \Device\DmControl\DmInfo 8A8631F8

Device \Driver\usbohci \Device\USBPDO-1 8A6861F8

Device \Driver\PCI_PNP3368 \Device\00000052 spiy.sys

Device \Driver\usbohci \Device\USBPDO-2 8A6861F8

Device \Driver\usbohci \Device\USBPDO-3 8A6861F8

Device \Driver\usbohci \Device\USBPDO-4 8A6861F8

Device \Driver\usbehci \Device\USBPDO-5 8A63C1F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8D41F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{72702F06-F450-47C2-A1C4-7D228F1326A7} 898FC1F8

Device \Driver\Cdrom \Device\CdRom0 8A6231F8

Device \Driver\Cdrom \Device\CdRom1 8A6231F8

Device \Driver\atapi \Device\Ide\IdePort0 8A8D31F8

Device \Driver\atapi \Device\Ide\IdePort1 8A8D31F8

Device \Driver\atapi \Device\Ide\IdePort2 8A8D31F8

Device \Driver\atapi \Device\Ide\IdePort3 8A8D31F8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-12 8A8D31F8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-a 8A8D31F8

Device \Driver\Cdrom \Device\CdRom2 8A6231F8

Device \Driver\sptd \Device\2767887118 spiy.sys

Device \Driver\NetBT \Device\NetBt_Wins_Export 898FC1F8

Device \Driver\NetBT \Device\NetbiosSmb 898FC1F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{A902EF5F-D631-4E5B-ACE8-4A99B0A65BC1} 898FC1F8

Device \Driver\usbohci \Device\USBFDO-0 8A6861F8

Device \Driver\usbohci \Device\USBFDO-1 8A6861F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898BF1F8

Device \Driver\usbohci \Device\USBFDO-2 8A6861F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 898BF1F8

Device \Driver\TwoRabts \Device\0000007c 8A4C31F8

Device \Driver\usbohci \Device\USBFDO-3 8A6861F8

Device \Driver\usbohci \Device\USBFDO-4 8A6861F8

Device \Driver\Ftdisk \Device\FtControl 8A8D41F8

Device \Driver\usbehci \Device\USBFDO-5 8A63C1F8

Device \Driver\cdspacex \Device\Scsi\cdspacex1Port5Path0Target0Lun0 898C6500

Device \Driver\cdspacex \Device\Scsi\cdspacex1 898C6500

Device \Driver\aoi651yh \Device\Scsi\aoi651yh1Port4Path0Target0Lun0 8A5711F8

Device \Driver\aoi651yh \Device\Scsi\aoi651yh1 8A5711F8

Device \FileSystem\Fastfat \Fat 88186320

Device \FileSystem\Cdfs \Cdfs 8A4452C0

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\senekamimgqldm.sys (*** hidden *** ) B4DE6000-B4E05000 (126976 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\senekamimgqldm.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x96 0x1F 0xAC ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x45 0x95 0x76 0x3C ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

Reg HKLM\SYSTEM\ControlSet004\Services\seneka

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@start 1

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@type 1

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@group file system

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

---- EOF - GMER 1.0.14 ----


Welcome to Malwarebytes!!!! :)

Please update MBAM and run another quick scan. In your next reply, please post the MBAM log followed by a fresh GMER log. Thanks

Malwarebytes Anti-Malware detects that rootkit, but usually the service needs cleaning up. Just need to make sure. Thanks


GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-27 03:04:09

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

INT 0x62 ? 8A8D3BF8

INT 0x63 ? 8A688BF8

INT 0x73 ? 8A688BF8

INT 0x73 ? 8A688BF8

INT 0x82 ? 8A8D3BF8

INT 0x83 ? 8A8D3BF8

INT 0x84 ? 8A688BF8

INT 0xA4 ? 8A688BF8

Code 89DADA90 ZwEnumerateKey

Code 89DADB48 ZwFlushInstructionCache

Code B4DE8323 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B528A 5 Bytes JMP 89DADB4C

PAGE ntkrnlpa.exe!ZwEnumerateKey 80622950 5 Bytes JMP 89DADA94

? bpeercj.sys The system cannot find the file specified. !

? spiy.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload B79A162C 5 Bytes JMP 8A6881D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[740] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spiy.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spiy.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spiy.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spiy.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spiy.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spiy.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A8D21F8

Device \FileSystem\Fastfat \FatCdrom 88186320

Device \Driver\usbohci \Device\USBPDO-0 8A6861F8

Device \Driver\usbohci \Device\USBPDO-1 8A6861F8

Device \Driver\PCI_PNP3368 \Device\00000052 spiy.sys

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8631F8

Device \Driver\dmio \Device\DmControl\DmConfig 8A8631F8

Device \Driver\dmio \Device\DmControl\DmPnP 8A8631F8

Device \Driver\dmio \Device\DmControl\DmInfo 8A8631F8

Device \Driver\usbohci \Device\USBPDO-2 8A6861F8

Device \Driver\usbohci \Device\USBPDO-3 8A6861F8

Device \Driver\usbohci \Device\USBPDO-4 8A6861F8

Device \Driver\usbehci \Device\USBPDO-5 8A63C1F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8D41F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{72702F06-F450-47C2-A1C4-7D228F1326A7} 898FC1F8

Device \Driver\Cdrom \Device\CdRom0 8A6231F8

Device \Driver\Cdrom \Device\CdRom1 8A6231F8

Device \Driver\atapi \Device\Ide\IdePort0 8A8D31F8

Device \Driver\atapi \Device\Ide\IdePort1 8A8D31F8

Device \Driver\atapi \Device\Ide\IdePort2 8A8D31F8

Device \Driver\atapi \Device\Ide\IdePort3 8A8D31F8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-12 8A8D31F8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-a 8A8D31F8

Device \Driver\Cdrom \Device\CdRom2 8A6231F8

Device \Driver\sptd \Device\2767887118 spiy.sys

Device \Driver\NetBT \Device\NetBt_Wins_Export 898FC1F8

Device \Driver\NetBT \Device\NetbiosSmb 898FC1F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{A902EF5F-D631-4E5B-ACE8-4A99B0A65BC1} 898FC1F8

Device \Driver\usbohci \Device\USBFDO-0 8A6861F8

Device \Driver\usbohci \Device\USBFDO-1 8A6861F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898BF1F8

Device \Driver\usbohci \Device\USBFDO-2 8A6861F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 898BF1F8

Device \Driver\usbohci \Device\USBFDO-3 8A6861F8

Device \Driver\TwoRabts \Device\0000007c 8A4C31F8

Device \Driver\Ftdisk \Device\FtControl 8A8D41F8

Device \Driver\usbohci \Device\USBFDO-4 8A6861F8

Device \Driver\usbehci \Device\USBFDO-5 8A63C1F8

Device \Driver\USBSTOR \Device\0000008b 882A8500

Device \Driver\USBSTOR \Device\0000008c 882A8500

Device \Driver\cdspacex \Device\Scsi\cdspacex1Port5Path0Target0Lun0 898C6500

Device \Driver\cdspacex \Device\Scsi\cdspacex1 898C6500

Device \Driver\aoi651yh \Device\Scsi\aoi651yh1Port4Path0Target0Lun0 8A5711F8

Device \Driver\aoi651yh \Device\Scsi\aoi651yh1 8A5711F8

Device \FileSystem\Fastfat \Fat 88186320

Device \FileSystem\Cdfs \Cdfs 8A4452C0

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\senekamimgqldm.sys (*** hidden *** ) B4DE6000-B4E05000 (126976 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\senekamimgqldm.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x96 0x1F 0xAC ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x45 0x95 0x76 0x3C ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

Reg HKLM\SYSTEM\ControlSet004\Services\seneka

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@start 1

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@type 1

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\ControlSet004\Services\seneka@group file system

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamimgqldm.sys

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekalog.dat \systemroot\system32\senekawfpshfep.dat

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekawi.dll \systemroot\system32\senekajnwtdwok.dll

Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dat \systemroot\system32\senekaptvviguy.dat

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

---- EOF - GMER 1.0.14 ----

Malwarebytes' Anti-Malware 1.33

Database version: 1698

Windows 5.1.2600 Service Pack 2

1/27/2009 3:30:55 AM

mbam-log-2009-01-27 (03-30-55).txt

Scan type: Quick Scan

Objects scanned: 50997

Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\chert5-998.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9DL2NE6F\winsinstall[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D6FKCDMN\apstpldr.dll[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

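An added example, written for this page and not part of the original thread, GMER or Malwarebytes: the GMER logs posted above name the hidden `seneka` service, its driver, and registry keys under more than one control set that point at its files, which is the "service needs cleaning up" part of the helper's reply. The parser below pulls that cleanup list (keys to delete, files to remove) out of lines in the GMER 1.0.14 format and also reports SSDT hooks owned by a bare kernel address rather than a named driver. The sample lines are constructed from the thread's logs, and the regular expressions and the "unattributed hook" heuristic are my assumptions about the format, not documented GMER behaviour.

```python
"""Parse a GMER rootkit-scan log and list what a cleanup would have to touch."""
import re
from collections import defaultdict

# Constructed sample in the line format GMER 1.0.14 writes. The values are
# modelled on the logs posted in this thread, but this is not the full log.
SAMPLE_GMER_LOG = [
    r"---- System - GMER 1.0.14 ----",
    r"SSDT spgg.sys ZwCreateKey [0xBA6A80E0]",
    r"SSDT B34C2E64 ZwCreateThread",
    r"SSDT B34C2E50 ZwOpenProcess",
    r"---- Modules - GMER 1.0.14 ----",
    r"Module \systemroot\system32\drivers\senekamimgqldm.sys (*** hidden *** ) B4DE6000-B4E05000 (126976 bytes)",
    r"---- Services - GMER 1.0.14 ----",
    r"Service C:\WINDOWS\system32\drivers\senekamimgqldm.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!",
    r"---- Registry - GMER 1.0.14 ----",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekagsiaelje.dll",
    r"Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekamimgqldm.sys",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0",
]

# Line patterns (assumed from the posted log text, not from GMER documentation).
SERVICE_RE = re.compile(r"^Service (.+?) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
MODULE_RE = re.compile(r"^Module (.+?) \(\*\*\* hidden \*\*\* \) ([0-9A-F]{8})-([0-9A-F]{8})")
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+)")
REG_RE = re.compile(r"^Reg (HKLM\\SYSTEM\\(\w+)\\Services\\(\w+)(?:[\\@]\S*)?)(?: (.*))?$")
FILE_RE = re.compile(r"\\systemroot\\\S+\.(?:sys|dll|dat)", re.IGNORECASE)


def analyze_gmer(lines):
    """Return hidden services and modules, SSDT hooks that no named driver owns,
    and, for every hidden service, each registry key GMER saw for it (in every
    control set) plus every file its values point at: the cleanup list."""
    hidden_services, hidden_modules, unattributed_hooks, reg_matches = [], [], [], []
    for raw in lines:
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            hidden_services.append({"image": m[1], "account": m[2], "name": m[3]})
        elif m := MODULE_RE.match(line):
            hidden_modules.append({"path": m[1], "start": int(m[2], 16), "end": int(m[3], 16)})
        elif m := SSDT_RE.match(line):
            owner, func = m[1], m[2]
            # A named driver (sptd's spgg.sys here) hooks the SSDT legitimately; a
            # bare kernel address with no owning module is what a hidden driver
            # looks like, so only those are reported.
            if not owner.lower().endswith(".sys"):
                unattributed_hooks.append(func)
        elif m := REG_RE.match(line):
            reg_matches.append(m)

    hidden_names = {s["name"].lower() for s in hidden_services}
    reg_keys = defaultdict(list)   # service -> registry paths to delete
    files = defaultdict(set)       # service -> files to remove
    for m in reg_matches:
        full_path, svc, value = m[1], m[3].lower(), m[4] or ""
        if svc in hidden_names:          # ignore unrelated keys such as sptd's Cfg
            reg_keys[svc].append(full_path)
            files[svc].update(FILE_RE.findall(value))
    return {
        "hidden_services": hidden_services,
        "hidden_modules": hidden_modules,
        "unattributed_ssdt_hooks": unattributed_hooks,
        "registry_keys": dict(reg_keys),
        "files": {svc: sorted(paths) for svc, paths in files.items()},
    }


if __name__ == "__main__":
    report = analyze_gmer(SAMPLE_GMER_LOG)
    for svc in report["hidden_services"]:
        print(f"hidden service {svc['name']} ({svc['account']}): {svc['image']}")
        print("  registry keys:", *report["registry_keys"][svc["name"].lower()], sep="\n    ")
        print("  files:", *report["files"][svc["name"].lower()], sep="\n    ")
    print("SSDT hooks with no owning driver:", report["unattributed_ssdt_hooks"])
```

Run it against a saved GMER log by passing the file's lines to `analyze_gmer`; the point of collecting keys from every `ControlSet00N` branch, not just `CurrentControlSet`, is that the service otherwise comes back on the next boot from a control set the cleanup never touched, which is the pattern the later posts in this thread describe.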

Malwarebytes' Anti-Malware 1.33

Database version: 1702

Windows 5.1.2600 Service Pack 2

1/28/2009 2:48:46 PM

mbam-log-2009-01-28 (14-48-46).txt

Scan type: Quick Scan

Objects scanned: 50837

Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.

It came up again after I restarted.

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-28 15:00:21

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT spgg.sys ZwCreateKey [0xBA6A80E0]

SSDT B34C2E64 ZwCreateThread

SSDT spgg.sys ZwEnumerateKey [0xBA6C6CA2]

SSDT spgg.sys ZwEnumerateValueKey [0xBA6C7030]

SSDT spgg.sys ZwOpenKey [0xBA6A80C0]

SSDT B34C2E50 ZwOpenProcess

SSDT B34C2E55 ZwOpenThread

SSDT spgg.sys ZwQueryKey [0xBA6C7108]

SSDT spgg.sys ZwQueryValueKey [0xBA6C6F88]

SSDT spgg.sys ZwSetValueKey [0xBA6C719A]

SSDT B34C2E5F ZwTerminateProcess

SSDT B34C2E5A ZwWriteVirtualMemory

INT 0x62 ? 8A863BF8

INT 0x63 ? 8A662BF8

INT 0x73 ? 8A662BF8

INT 0x73 ? 8A662BF8

INT 0x82 ? 8A863BF8

INT 0x83 ? 8A863BF8

INT 0x84 ? 8A662BF8

INT 0xA4 ? 8A662BF8

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FE2 80503DB6 2 Bytes [ 4C, B3 ]

? nmkh.sys The system cannot find the file specified. !

? spgg.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload B771662C 5 Bytes JMP 8A6621D8

.text adfgoq7j.SYS B7499386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]

.text adfgoq7j.SYS B74993AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]

.text adfgoq7j.SYS B74993C4 3 Bytes [ 00, 70, 02 ]

.text adfgoq7j.SYS B74993C9 1 Byte [ 2E ]

.text adfgoq7j.SYS B74993CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]

.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[604] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spgg.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spgg.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spgg.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spgg.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spgg.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spgg.sys

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfAcquireSpinLock] 8A000002

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!READ_PORT_UCHAR] 83880846

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KeGetCurrentIrql] 000001C0

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfLowerIrql] 8303C183

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!HalGetInterruptVector] D103FCE1

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!KfReleaseSpinLock] 83893204

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[WMILIB.SYS!WmiSystemControl] 03D00304

IAT \SystemRoot\System32\Drivers\adfgoq7j.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A8621F8

Device \FileSystem\Fastfat \FatCdrom 897F9500

Device \Driver\sptd \Device\322869262 spgg.sys

Device \Driver\usbohci \Device\USBPDO-0 8A65A1F8

Device \Driver\PCI_PNP5512 \Device\00000051 spgg.sys

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A8D31F8

Device \Driver\dmio \Device\DmControl\DmConfig 8A8D31F8

Device \Driver\dmio \Device\DmControl\DmPnP 8A8D31F8

Device \Driver\dmio \Device\DmControl\DmInfo 8A8D31F8

Device \Driver\usbohci \Device\USBPDO-1 8A65A1F8

Device \Driver\usbohci \Device\USBPDO-2 8A65A1F8

Device \Driver\usbohci \Device\USBPDO-3 8A65A1F8

Device \Driver\usbohci \Device\USBPDO-4 8A65A1F8

Device \Driver\usbehci \Device\USBPDO-5 8A6111F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8641F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{72702F06-F450-47C2-A1C4-7D228F1326A7} 8A2BF500

Device \Driver\Cdrom \Device\CdRom0 8A6051F8

Device \Driver\Cdrom \Device\CdRom1 8A6051F8

Device \Driver\atapi \Device\Ide\IdePort0 8A8631F8

Device \Driver\atapi \Device\Ide\IdePort1 8A8631F8

Device \Driver\atapi \Device\Ide\IdePort2 8A8631F8

Device \Driver\atapi \Device\Ide\IdePort3 8A8631F8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-12 8A8631F8

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-a 8A8631F8

Device \Driver\Cdrom \Device\CdRom2 8A6051F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 8A2BF500

Device \Driver\USBSTOR \Device\00000083 897AF1F8

Device \Driver\USBSTOR \Device\00000084 897AF1F8

Device \Driver\NetBT \Device\NetbiosSmb 8A2BF500

Device \Driver\NetBT \Device\NetBT_Tcpip_{A902EF5F-D631-4E5B-ACE8-4A99B0A65BC1} 8A2BF500

Device \Driver\usbohci \Device\USBFDO-0 8A65A1F8

Device \Driver\usbohci \Device\USBFDO-1 8A65A1F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899071F8

Device \Driver\TwoRabts \Device\0000007b 8A4BF500

Device \Driver\usbohci \Device\USBFDO-2 8A65A1F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 899071F8

Device \Driver\usbohci \Device\USBFDO-3 8A65A1F8

Device \Driver\usbohci \Device\USBFDO-4 8A65A1F8

Device \Driver\Ftdisk \Device\FtControl 8A8641F8

Device \Driver\usbehci \Device\USBFDO-5 8A6111F8

Device \Driver\cdspacex \Device\Scsi\cdspacex1Port5Path0Target0Lun0 899051F8

Device \Driver\adfgoq7j \Device\Scsi\adfgoq7j1 8A57C500

Device \Driver\adfgoq7j \Device\Scsi\adfgoq7j1Port4Path0Target0Lun0 8A57C500

Device \Driver\cdspacex \Device\Scsi\cdspacex1 899051F8

Device \FileSystem\Fastfat \Fat 897F9500

Device \FileSystem\Cdfs \Cdfs 8A417500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x96 0x1F 0xAC ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x45 0x95 0x76 0x3C ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x36 0x48 0xDC 0x66 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0x61 0xAF ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x31 0x63 0x71 0x04 ...

---- EOF - GMER 1.0.14 ----


Volume in drive C has no label.

Volume Serial Number is 5CA4-B134

Directory of C:\WINDOWS\system32

01/25/2009 06:19 AM 125,440 userinit.exe

1 File(s) 125,440 bytes

Directory of C:\WINDOWS\system32\dllcache

01/25/2009 06:19 AM 125,440 userinit.exe

1 File(s) 125,440 bytes

Total Files Listed:

2 File(s) 250,880 bytes

0 Dir(s) 192,150,372,352 bytes free


Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


ComboFix 09-01-21.04 - Administrator 2009-01-30 7:21:44.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1461 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\998.exe

c:\windows\system32\pdaqbalk.ini

c:\windows\system32\senekaptvviguy.dat

c:\windows\system32\senekawfpshfep.dat

c:\windows\system32\test.ttt

c:\windows\system32\uniq.tll

c:\windows\system32\win32hlp.cnf

c:\windows\Tasks\iwzidfxa.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\system32\init32.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))

.

2009-01-28 16:31 . 2009-01-28 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Musicnotes

2009-01-23 15:08 . 2009-01-23 15:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2009-01-23 14:55 . 2009-01-23 14:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-26 13:23 . 2008-12-26 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles

2008-12-25 08:29 . 2008-12-25 08:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-25 08:28 . 2008-12-25 08:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2508-01-09 20:32 --------- d-----w c:\program files\DIFX

2508-01-09 20:20 17,801 ----a-w c:\windows\system32\drivers\AegisP.sys

2508-01-09 20:20 --------- d-----w c:\program files\Linksys Wireless-G PCI Adapter with SRX

2508-01-09 20:12 --------- d-----w c:\program files\microsoft frontpage

2009-01-30 12:26 --------- d-----w c:\program files\Steam

2009-01-30 12:25 --------- d-----w c:\documents and settings\Administrator\Application Data\Vidalia

2009-01-30 12:25 --------- d-----w c:\documents and settings\Administrator\Application Data\tor

2009-01-30 12:25 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire

2009-01-28 21:31 --------- d-----w c:\program files\Musicnotes

2009-01-28 18:59 --------- d-----w c:\program files\World of Warcraft

2009-01-28 09:51 --------- d-----w c:\program files\Warcraft III

2009-01-25 23:04 --------- d-----w c:\program files\Trend Micro

2009-01-23 21:22 --------- d-----w c:\program files\reFX

2009-01-23 20:42 --------- d-----w c:\program files\DAEMON Tools Lite

2009-01-23 20:36 --------- d-----w c:\program files\DAEMON Tools Toolbar

2009-01-23 20:33 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro

2009-01-23 20:33 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite

2009-01-23 20:33 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools

2009-01-23 19:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-23 19:55 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-23 19:37 717,296 ----a-w c:\windows\system32\drivers\sptd.sys

2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2008-12-31 00:50 --------- d-----w c:\program files\Diablo II

2008-12-28 06:49 --------- d-----w c:\program files\Native Instruments

2008-12-28 06:49 --------- d-----w c:\program files\Common Files\Native Instruments

2008-12-26 21:53 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-12-25 15:49 --------- d-----w c:\program files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter

2008-12-25 13:29 --------- d-----w c:\program files\iTunes

2008-12-25 13:29 --------- d-----w c:\program files\iPod

2008-12-25 13:29 --------- d-----w c:\program files\Common Files\Apple

2008-12-25 13:29 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer

2008-12-25 13:28 --------- d-----w c:\program files\QuickTime

2008-12-25 13:26 --------- d-----w c:\program files\Apple Software Update

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2008-05-04 10:07 22,328 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrK.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"AIM"="c:\program files\AIM\aim.exe" [2004-06-07 61440]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-11-22 12889088]

"Steam"="c:\program files\steam\steam.exe" [2008-10-09 1410296]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-27 2356088]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-07-09 36352]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"BigDog303"="c:\windows\VM303_STI.EXE" [2005-06-23 61440]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-30 185872]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-06-18 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

LCDPlayer.lnk - c:\program files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe [2008-03-13 323584]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=nlycoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Steam\\steamapps\\godsendxd\\counter-strike\\hl.exe"=

R1 XSPACEWG;XSPACEWG;c:\windows\system32\drivers\XSpaceWg.sys [2008-03-13 3543]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-02-24 37376]

R3 cdspacex;cdspacex;c:\windows\system32\drivers\CDSPACEX.sys [2008-03-13 22571]

R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-07-09 31616]

R3 TwoRabts;Two Rabbits Live Bus;c:\windows\system32\drivers\TwoRabts.sys [2008-03-13 11120]

R4 WMP54GXSVC;WMP54GXSVC;c:\program files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe [2508-01-09 41025]

S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys [2008-07-29 30848]

S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]

S3 XDva039;XDva039;\??\c:\windows\system32\XDva039.sys --> c:\windows\system32\XDva039.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

\Shell\AutoRun\command - D:\Setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe

Notify-mlJBTlMD - mlJBTlMD.dll

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qlmsgevy.default\

FF - prefs.js: browser.search.selectedEngine - DAEMON Search

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qlmsgevy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-30 07:26:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@?9????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\CLBCATQ.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\program files\Vidalia Bundle\Tor\tor.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\iTunes\iTunes.exe

.

**************************************************************************

.

Completion time: 2009-01-30 7:30:15 - machine was rebooted [Administrator]

ComboFix-quarantined-files.txt 2009-01-30 12:30:13

Pre-Run: 192,004,530,176 bytes free

Post-Run: 194,787,844,096 bytes free

191 --- E O F --- 2009-01-15 08:00:56

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:43:21 PM, on 1/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\VM303_STI.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe

C:\Program Files\Vidalia Bundle\Tor\tor.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WMP54GX.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [bigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Global Startup: LCDPlayer.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: nlycoo.dll

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)

O23 - Service: Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio Fast Track\GBInst.exe (file missing)

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: WMP54GXSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Adapter with SRX\WLService.exe

--

End of file - 6522 bytes


I attached a file named godsendxd1.zip; unzip/extract appinifix.reg to your desktop. Double-click on appinifix.reg and allow it to be merged into the Windows registry. Reboot your computer.

Please update MBAM, run a quick scan, and post the results along with a fresh HijackThis log. Thanks.

godsendxd1.zip
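The entry this fix targets shows up twice in the logs above: ComboFix reports `"AppInit_DLLs"=nlycoo.dll` under `HKLM\software\microsoft\windows nt\currentversion\windows`, and HijackThis lists it as `O20 - AppInit_DLLs: nlycoo.dll`. Any DLL named in that value is loaded by user32.dll into essentially every GUI process on the machine, which is why the cleanup is a registry merge that clears the value rather than just deleting a file: a stale name left in the key keeps being attempted at every process start. The script below is an added example, not the helper's attached appinifix.reg (whose contents are not shown in this thread); it is a read-only audit that prints the current AppInit_DLLs value and what each listed DLL resolves to on disk. The key path is the standard one; the output format is my own.

```powershell
# Added example (not the helper's attached appinifix.reg): read-only audit of the
# AppInit_DLLs load point flagged above (ComboFix "AppInit_DLLs"=nlycoo.dll,
# HijackThis O20). Run from an elevated PowerShell prompt; it changes nothing.

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$key     = Get-Item -Path $keyPath

# AppInit_DLLs is a single REG_SZ; several DLLs may be listed, separated by
# spaces or commas. An empty string is the normal state on a clean XP machine.
$raw = [string]$key.GetValue('AppInit_DLLs', '')

if ($raw.Trim() -eq '') {
    Write-Output 'AppInit_DLLs is empty - nothing is being loaded through this key.'
    return
}

Write-Output "AppInit_DLLs = '$raw'"
$entries = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }

foreach ($dll in $entries) {
    # A bare name such as nlycoo.dll is resolved through the normal DLL search
    # order, so system32 is where it would be loaded from.
    if ([System.IO.Path]::IsPathRooted($dll)) {
        $candidate = $dll
    } else {
        $candidate = Join-Path $env:SystemRoot ('system32\' + $dll)
    }

    if (Test-Path -LiteralPath $candidate) {
        $item = Get-Item -LiteralPath $candidate
        $sig  = Get-AuthenticodeSignature -FilePath $candidate
        Write-Output ('  {0}' -f $candidate)
        Write-Output ('    size={0} bytes  modified={1}  signature={2}' -f `
            $item.Length, $item.LastWriteTime, $sig.Status)
    } else {
        # A value that points at a missing file still matters: every process that
        # loads user32.dll keeps attempting it, so the value should be cleared.
        Write-Output ('  {0}  (file not present on disk)' -f $candidate)
    }
}
```

Two caveats when reusing this beyond the XP machine in this thread: on 64-bit Windows the same value also exists under `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` for 32-bit processes, and from Windows Vista onward the `LoadAppInit_DLLs` value in the same key decides whether the list is honoured at all, so a non-empty list with `LoadAppInit_DLLs` set to 0 is inert.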




Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
